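<?xml version="1.0" ?>
<!--
  Sample RequestCustomAction message: the server named in ControlData asks an
  agent to run the listed methods and hand back their inout="out" parameters.

  The listing appears to have been captured from a browser tree view. It is
  restored here to well-formed XML: the "-" expand/collapse markers are
  dropped, and the angle-bracket placeholders (AGENT_INSTALLED_DIR,
  AGENT_INSTALLED_REGKEY) are escaped so that they are data, not markup.

  NOTE(review): every CustomActions id selects code to run on the agent (a DLL
  path or a GUID), and nothing in this message authenticates the sender or
  protects its integrity. Presumably the transport does that; confirm, and
  confirm that the agent only accepts ids from an allow-list.
  NOTE(review): xsi:schemaLocation is only a hint. A validating agent should
  use its own trusted copy of CustomActionsProtocol.xsd rather than resolve a
  location named by the message.
-->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <!-- Action addressed by library path: read one registry string value. -->
  <CustomActions id="&lt;AGENT_INSTALLED_DIR&gt;\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Key" type="xs:string" inout="in">&lt;AGENT_INSTALLED_REGKEY&gt;</Parameter>
      <Parameter id="Valuename" type="xs:string" inout="in">AgentVersion</Parameter>
      <Parameter id="Result" type="xs:string" inout="out" />
    </Method>
  </CustomActions>

  <!-- Actions addressed by GUID; both Interface elements carry the same id. -->
  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <!--
        NOTE(review): Location is a path supplied by the sender and passed to a
        silent installer. Presumably the agent restricts it to a trusted image
        store and verifies the package before running it; confirm.
        NOTE(review): ProductVersion is typed xs:decimal but holds a
        0x-prefixed value, which is not a valid xs:decimal lexical form.
      -->
      <Method id="ExecuteSilentInstallation">
        <Parameter id="ProductName" type="xs:string" inout="in">TestInstallProduct</Parameter>
        <Parameter id="ProductVersion" type="xs:decimal" inout="in">0x01000001</Parameter>
        <Parameter id="Location" type="xs:string" inout="in">c:\InstallImages</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out" />
        <Parameter id="Result" type="xs:decimal" inout="out" />
      </Method>
    </Interface>
  </CustomActions>

  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <!--
        EventDescription is a template; its %NAME% tokens match the ids of the
        sibling Parameter elements.
        NOTE(review): EventDescription is typed xs:decimal although it holds
        text, and ENGINEVERSION / DATVERSION hold 0x-prefixed values under
        xs:decimal; a schema-validating receiver would reject these.
        NOTE(review): the substituted values come from the sender, so whatever
        renders or logs the expanded text should treat them as untrusted.
      -->
      <Method id="TriggerEvent">
        <Parameter id="EventID" type="xs:decimal" inout="in">1000</Parameter>
        <Parameter id="EventDescription" type="xs:decimal" inout="in">The event %EventID% has been triggered by %USERNAME% on computer %COMPUTERNAME%. The %FILENAME% file is infected with %VIRUSNAME%. This has been detected by engineversion %ENGINEVERSION% datversion %DATVERSION%.</Parameter>
        <Parameter id="COMPUTERNAME" type="xs:string" inout="in">sourcecomputer</Parameter>
        <Parameter id="USERNAME" type="xs:string" inout="in">sourceuser</Parameter>
        <Parameter id="FILENAME" type="xs:string" inout="in">kernel32.dll</Parameter>
        <Parameter id="VIRUSNAME" type="xs:string" inout="in">Nimbda</Parameter>
        <Parameter id="ENGINEVERSION" type="xs:decimal" inout="in">0x04005001</Parameter>
        <Parameter id="DATVERSION" type="xs:decimal" inout="in">0x07003009</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>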
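<?xml version="1.0" ?>
<!--
  Sample response to a custom-action request: each Method carries only the
  inout="out" parameters produced by the agent, under the same CustomActions
  and Interface ids that addressed the action.

  Restored to well-formed XML: tree-view "-" markers are dropped, the
  AGENT_INSTALLED_DIR placeholder is escaped, and GUID braces are restored.

  NOTE(review): the Command value reads "RspondToCustomAction" in the source
  listing and is kept as printed; presumably "RespondToCustomAction" was
  meant. Confirm against CustomActionsProtocol.xsd.
  NOTE(review): the results expose host details (agent version, system
  directory, installer error text). Presumably the channel is confidential and
  the receiver checks that a response matches a request it issued; confirm.
-->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RspondToCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <CustomActions id="&lt;AGENT_INSTALLED_DIR&gt;\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Result" type="xs:string" inout="out">5.0.1.10</Parameter>
    </Method>
  </CustomActions>

  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <!-- A failed action is reported as free text in Result, not as a code. -->
      <Method id="ExecuteSilentInstallation">
        <Parameter id="Result" type="xs:string" inout="out">Error: Invalid Image path specified.</Parameter>
      </Method>
    </Interface>
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out">C:\Winnt\System32</Parameter>
        <Parameter id="Result" type="xs:decimal" inout="out">0</Parameter>
      </Method>
    </Interface>
  </CustomActions>

  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="TriggerEvent">
        <Parameter id="Result" type="xs:string" inout="out">Event sent to testcomputer2</Parameter>
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>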
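<?xml version="1.0" ?>
<!--
  Sample RequestCustomAction message that reads and writes configuration
  through three mapping libraries: registry, INI file and a directory entry.
  Each library is asked for a WriteConfig and then a ReadConfig.

  Restored to well-formed XML: tree-view "-" markers and stray glyphs are
  dropped, split element names are rejoined, and the two file paths that were
  broken across lines are rejoined.

  NOTE(review): WriteConfig targets are chosen by the sender: a key under
  HKEY_LOCAL_MACHINE, a file under C:\Program Files, a directory entry.
  Presumably each mapping library confines writes to an expected subtree after
  canonicalising the id, and the message is authenticated; confirm.
  NOTE(review): xsi:schemaLocation pairs the same namespace with two schema
  files. Processors may honour only the first location given for a namespace,
  so validation against AgentConfiguration.xsd should not be assumed.
-->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd
                                   http://www.nai.com AgentConfiguration.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <CustomActions id="RegistryMapping.dll">
    <Method id="WriteConfig">
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee">
        <Product id="Alert Manager">
          <Version>0x04070000</Version>
          <DisplayName>Alert Manager 4.7</DisplayName>
          <Language id="0407">
            <Version>0x01000002</Version>
            <Event id="1">
              <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>5</Severity>
              <Enabled>1</Enabled>
            </Event>
          </Language>
          <Language id="0409">
            <Version>0x01000002</Version>
            <Event id="1">
              <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>0</Severity>
              <Enabled>1</Enabled>
            </Event>
            <Event id="2">
              <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>1</Severity>
            </Event>
          </Language>
        </Product>
      </RegistryConfiguration>
    </Method>
    <!--
      NOTE(review): the id ends in a wildcard, so one request reads the whole
      subtree. Confirm the response cannot return secrets stored beneath it.
    -->
    <Method id="ReadConfig">
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\*" />
    </Method>
  </CustomActions>

  <CustomActions id="INIFileMapping.dll">
    <Method id="WriteConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini">
        <Extensions>
          <amg>AMGConfig</amg>
          <asf>MPEGVideo</asf>
          <wmp>MPEGVideo2</wmp>
        </Extensions>
      </FileConfiguration>
    </Method>
    <Method id="ReadConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini" />
    </Method>
  </CustomActions>

  <CustomActions id="MAPIMapping.dll">
    <Method id="WriteConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer">
        <BinaryProperty>0123456789ABCDEF00000</BinaryProperty>
      </DAPIConfiguration>
    </Method>
    <Method id="ReadConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer" />
    </Method>
  </CustomActions>
</AgentProtocol>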
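<?xml version="1.0" ?>
<!--
  Sample AMGEvents instance: one Product, its version and display name, and
  per-language event text. Each Event has a long and a short description and a
  Severity; Enabled appears only on some events.

  Restored to well-formed XML: tree-view "-" markers are dropped, split or
  misspelled tag names are rejoined so that start and end tags match, and
  "xsi.schemaLocation" is restored to the xsi:schemaLocation attribute.

  Language ids are presumably Windows language identifiers (0407 German,
  0409 US English); the German text under 0407 is consistent with that.
  Confirm.
  NOTE(review): the description strings are free text that ends up in alerts.
  A consumer should encode them for whatever it renders them into, and should
  validate against its own copy of AMGEvents.xsd rather than a location named
  here.
-->
<AMGEvents xmlns="http://www.nai.com"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.nai.com AMGEvents.xsd">
  <Product id="Alert Manager">
    <Version>0x04070000</Version>
    <DisplayName>Alert Manager 4.7</DisplayName>

    <Language id="0407">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>5</Severity>
        <Enabled>1</Enabled>
      </Event>
    </Language>

    <Language id="0409">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>0</Severity>
        <Enabled>1</Enabled>
      </Event>
      <Event id="2">
        <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="3">
        <LONGDESCRIPT>Text of event 3.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="4">
        <LONGDESCRIPT>Text of event 4.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
    </Language>
  </Product>
</AMGEvents>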
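<?xml version="1.0" encoding="UTF-8" ?>
<!-- edited with XML Spy v4.0.1 (http://www.xmlspy.com); the editor credit is illegible in the source listing -->
<!--
  Schema for AMGEvents documents in the http://www.nai.com namespace:
  AMGEvents holds one or more Product elements; a Product holds Version,
  DisplayName and one or more Language elements; a Language holds Version and
  one or more Event elements.

  Restored to well-formed XML: tree-view "-" markers are dropped, split or
  misspelled names are rejoined so that every ref matches a declared element,
  and the editor comment, whose closing marker had drifted to the end of the
  listing, is closed where it belongs.

  NOTE(review): Severity, Version and every id attribute are plain xs:string,
  so the schema accepts any text in them. Consumers that use these values as
  numbers, registry names or lookup keys need their own checks; tightening the
  types here would be the stronger fix if existing instances allow it.
-->
<xs:schema targetNamespace="http://www.nai.com"
           xmlns="http://www.nai.com"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">

  <xs:element name="DisplayName" type="xs:string" />
  <xs:element name="Enabled" type="xs:boolean" />

  <!-- xs:all: the children may appear in any order; only Enabled is optional. -->
  <xs:complexType name="EventType">
    <xs:all>
      <xs:element ref="LONGDESCRIPT" />
      <xs:element ref="SHORTDESCRIPT" />
      <xs:element ref="Severity" />
      <xs:element ref="Enabled" minOccurs="0" />
    </xs:all>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <xs:complexType name="LanguageType">
    <xs:sequence>
      <xs:element ref="Version" />
      <xs:element name="Event" type="EventType" maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <xs:element name="Product">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Version" />
        <xs:element ref="DisplayName" />
        <xs:element name="Language" type="LanguageType" maxOccurs="unbounded" />
      </xs:sequence>
      <xs:attribute name="id" type="xs:string" use="required" />
    </xs:complexType>
  </xs:element>

  <!-- Document root. -->
  <xs:element name="AMGEvents">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Product" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="LONGDESCRIPT" type="xs:string" />
  <xs:element name="SHORTDESCRIPT" type="xs:string" />
  <xs:element name="Severity" type="xs:string" />
  <xs:element name="Version" type="xs:string" />
</xs:schema>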
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